My setup:
Code:
     +--------+                       +--------+
     |internet|                       |internet|
     +----|---+                       +---|----+
          |                               |
          |                               |
+---------|---------+            +--------|---------+
|    adj.router     |            |  93.27.123.23    |
|   (VPN server)    |            |    lan router    |
|    10.10.10.1     |            |(nat and port fwd)|
+---------|---------+            |   192.168.1.1    |
          |                      +--------+---------+
          |                               |
          |                               |
+---------|-------------------------------|-------------+
|         |                               |             |
|       tun0                             em0            |
|    10.10.10.77                    192.168.1.200       |
|  (default route)                        |       |     |
|         |                               |       |     |
|  +--------------+                  +----|---+---|---+ |
|  | client tools |                  |80:HTTPD|21:SSHD| |
|  +--------------+                  +--------+-------+ |
|                                                       |
+-------------------------------------------------------+
I want to keep my server daemons accessible via the static IP (93.27.123.23) while all other communication goes out via tun0.
The LAN router has port forwards to the daemons on the host. When OpenVPN (as a client) is running, it sets the route for 0.0.0.0 to its gateway, and because of this (at least I speculate this is the reason) the SYN comes from the internet to em0 but the ACK leaves the server via tun0. I believe pf's reply-to should be able to enforce that TCP packets leave on the same interface where the TCP session was established, but apart from regularly killing my networking I wasn't able to configure it.
Can someone please help me? I can't post the rules I have written so far, as my network is down again and I am at a remote location.
Once I get to the console, I'll also provide netstat -r.
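The asymmetric path described above (SYN in on em0, SYN/ACK out via the tun0 default route) is exactly the case pf's reply-to handles: a state created by a rule carrying reply-to sends the reply packets of that connection through the named interface and next hop, regardless of the routing table. The following pf.conf is an added example, not the poster's ruleset. It takes em0, tun0, 192.168.1.1 and 192.168.1.200 from the diagram; the assumption is that the forwarded daemon ports are TCP 80 and 21 as drawn, that pf runs on the host itself (not on the LAN router), and that no inbound connections are needed over the VPN.

```pf
# Added example, not the poster's configuration. Names and addresses are
# taken from the network diagram; the port list is assumed from it.
ext_if  = "em0"
ext_gw  = "192.168.1.1"      # LAN router: next hop for replies leaving em0
vpn_if  = "tun0"
srv_ip  = "192.168.1.200"    # host address on em0 that the router forwards to
srv_tcp = "{ 80 21 }"        # daemon ports shown in the diagram (assumed)

set skip on lo0

# Default deny inbound; log so blocked packets can be read from pflog0.
block in log all

# Connections that arrive on em0 for the forwarded daemons: keep state and
# bind the reply direction to em0 with the LAN router as gateway, so the
# SYN/ACK and all later reply packets ignore the tun0 default route.
pass in quick on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to $srv_ip port $srv_tcp flags S/SA keep state

# Traffic the host originates itself is untouched and follows the routing
# table, i.e. the default route OpenVPN installs via tun0.
pass out quick on { $ext_if $vpn_if } keep state
```

Check the syntax before loading (pfctl -nf /etc/pf.conf) and only then load it with pfctl -f, ideally from a console rather than over the connection being rerouted. With the rules active, pfctl -ss should list the daemon states with the reply-to target, and a tcpdump -ni em0 port 80 during an inbound connection should show the SYN/ACK leaving em0 instead of tun0. If connections are also needed over the VPN, add matching pass in rules on tun0; the block in all above would otherwise drop them.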